US-6308273

Method and system of security location discrimination

Published: October 23, 2001
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

An improved computer network security system and method wherein access to network resources is based on information that includes the location of the connecting user. In general, the less trusted the location of the user, the more the access rights assigned to the user are restricted. A discrimination mechanism and process determines the location of a user with respect to categories of a security policy, such as to distinguish local users, intranet users and dial-up users from one another. Based on information including the location and the user's credentials, an access token is set up that may restrict the user's normal access in accordance with the security policy, such as to not restrict a user's processes beyond the user-based security information in the user's normal access token, while further restricting the same user's access to resources when connecting via a dial-up connection. Restricted tokens are preferably used to implement the location-based discrimination by restricting the security context of users connecting from less trusted locations.

Patent Claims
43 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. In a computer network wherein a user may selectively connect to the network from one of a plurality of virtual locations, a method of providing improved network security, comprising the steps of, determining a location from where the user is connecting, selecting an access level for the user from at least two distinct access levels based on criteria including the virtual location, connecting the user to the network, creating a restricted token that has reduced access relative to a parent token, the restricted token derived from the parent token and information including the access level, and determining access of the user to network resources based on information in the restricted token.

2. The method of claim 1 further comprising assigning an Internet protocol address to the user, the assigned address dependent on the location from where the user is connecting.

3. The method of claim 1 wherein determining a location from where the user is connecting comprises evaluating an Internet protocol address assigned to the user.

4. The method of claim 3 wherein selecting an access level from at least two distinct access levels includes selecting the access level according to the Internet protocol address.

5. The method of claim 1 wherein determining a location from where the user is connecting comprises determining that the user is connecting to the network via a remote access server.

6. The method of claim 5 further comprising determining whether the user is connecting via a dial-up connection.

7. The method of claim 6 wherein the user is determined to be connecting via a dial-up connection, and further comprising determining the telephone number from which the user is connecting, comparing the telephone number to a list of registered users, and wherein selecting an access level includes selecting one level if the telephone number is in the list and another level if the number is not in the list.

8. The method of claim 1 wherein determining a location from where the user is connecting comprises determining whether the user is connecting to the network via a remote access server, and if the user is connecting via a remote access server, selecting an access level includes selecting an access level corresponding to more restricted access rights.

9. The method of claim 1 wherein determining a location from where the user is connecting comprises determining that the user is connecting to the network via an intranet.

10. The method of claim 1 wherein determining a location from where the user is connecting comprises determining that the user is connecting to the network via a virtual private network.

11. The method of claim 1 wherein determining access to network resources based on information in the restricted token includes determining access based on credentials of the user.

12. The method of claim 1 wherein creating the restricted token for the user includes adding at least one restricted security identifier thereto relative to the parent token.

13. The method of claim 1 wherein the restricted token is associated with each process of the user, and wherein determining access to network resources includes comparing information in the restricted token against security information associated with each network resource.

14. The method of claim 1 wherein creating the restricted token includes removing at least one privilege from the restricted token relative to the parent token.

15. The method of claim 1 wherein creating the restricted token includes creating the restricted token from the user's normal token, and changing attribute information of a security identifier in the restricted token to use for deny only access via that security identifier, relative to attribute information of a corresponding security identifier in the normal token.

16. The method of claim 1 wherein connecting the user to the network includes authenticating the user via a challenge-response protocol.

17. The method of claim 1 wherein connecting the user to the network includes receiving a ticket from the user, the ticket issued by a ticket-issuing facility.

18. The method of claim 1 wherein connecting the user to the network includes receiving a certificate from the user, the certificate issued by a certificate authority.

19. The method of claim 1 wherein creating the restricted token includes creating the restricted token from the user's normal token, including removing at least one privilege from the restricted token relative to the parent token and adding at least one restricted security identifier to the restricted token.

20. The method of claim 12 wherein determining access to network resources includes comparing user information in the restricted token including the at least one restricted security identifier therein against security information associated with each network resource.

21. In a computer network wherein a user may selectively connect to the network from one of a plurality of virtual locations, a system for providing improved network security, comprising, a discrimination mechanism configured to determine a virtual location from where the user is connecting and to select an access level from at least two distinct access levels based thereon, a security provider configured to create a restricted token including information from a parent token associated with the user and information including the access level, the restricted token having less access rights relative to the parent token, and an enforcement mechanism configured to determine user access to network resources according to the restricted token.

22. The system of claim 21 wherein the discrimination mechanism assigns an Internet protocol address to the user based on the virtual location determined thereby.

23. The system of claim 21 wherein the discrimination mechanism evaluates an Internet protocol address assigned to the user.

24. The system of claim 23 wherein the discrimination mechanism selects the access level according to the Internet protocol address.

25. The system of claim 21 wherein the discrimination mechanism determines that the user is connecting to the network via a remote access server.

26. The system of claim 25 wherein the discrimination mechanism further determines that the user is connecting via a dial-up connection.

27. The system of claim 26 further comprising a list of registered telephone numbers and a caller-ID mechanism connected to the discrimination mechanism, and wherein the discrimination mechanism accesses the caller ID mechanism to determine a telephone number of the user, and accesses the list to determine if the telephone number is in the list, and if the telephone number is in the list, determines one access level, and if the number is not in the list, determines another access level.

28. The system of claim 21 wherein the discrimination mechanism determines whether the user is connecting to the network via a remote access server, and if the user is connecting via a remote access server, further selects an access level for the user corresponding to more restricted access rights relative to the user access rights selected for a direct connection to the network.

29. The system of claim 21 wherein the discrimination mechanism includes means for determining when the user is connecting to the network via an intranet.

30. The system of claim 21 wherein the discrimination mechanism includes means for determining when the user is connecting to the network via a virtual private network.

31. The system of claim 21 wherein the security provider sets up the access rights of the user based on information including the credentials of the user.

32. The system of claim 21 wherein the security provider creates the restricted access token by deriving information from a normal access token associated with the user.

33. The system of claim 32 wherein the restricted token is associated with each process of the user, and wherein the enforcement mechanism determines access to the network resources by comparing information in the restricted token against security information associated with each network resource.

34. In a computer server having files thereon, a method of selectively restricting access to the files, comprising, receiving a request from an entity to access a file, selecting an access level for the entity from at least two distinct access levels based on criteria including the type of entity and a virtual location of the entity, deriving a restricted token from data in a parent access token associated with the entity and data corresponding to the access level, and determining access of the entity to the file based on information in the restricted token versus an access control list associated with the file.

35. The method of claim 34 wherein the entity is a process of a remote computer system, and wherein selecting an access level for the entity from at least two distinct access levels includes assigning a first access level for processes of the local server and a second access level for processes of remote computers.

36. The method of claim 34 wherein the entity is a script running on the computer server, and wherein selecting an access level for the entity from at least two distinct access levels includes assigning a distinct access level for scripts.

37. The method of claim 34 wherein the entity is an FTP server running on the computer server, and wherein selecting an access level for the entity from at least two distinct access levels includes assigning a distinct access level for FTP servers.

38. The method of claim 34 wherein the entity is a process of a proxy, and wherein selecting an access level for the entity from at least two distinct access levels includes assigning a first access level for processes of the local server and a second access level for processes of proxies.

39. The system of claim 21 wherein the restricted token has at least one privilege removed therefrom relative to the parent token.

40. The system of claim 21 wherein the restricted token has a security identifier modified to have less access rights than a corresponding security identifier in the parent token.

41. The system of claim 21 wherein the restricted token has at least one restricted security identifier added thereto relative to the parent token.

42. A computer-readable medium having computer-executable instructions, which, when executed on a computer, perform a method comprising: determining a virtual location from where a remote computer is connecting to a computer network, wherein the remote computer may selectively connect to the computer network from one of a plurality of virtual locations; selecting an access level for the remote computer from at least two distinct access levels based on criteria including the virtual location; connecting the remote computer to the network; creating a restricted token that has reduced access relative to a parent token associated with a user of the remote computer, the restricted token derived from the parent token and information including the access level; and determining access of the remote computer to network resources based on information in the restricted token.

43. A computer-readable medium having computer-executable instructions, which, when executed on a computer, perform a method comprising: receiving a request from an entity to access a file of a computer server; selecting an access level for the entity from at least two distinct access levels based on criteria including the type of entity and a virtual location of the entity; deriving a restricted token from data in a parent access token associated with the entity and data corresponding to the access level; and determining access of the entity to the file based on information in the restricted token versus an access control list associated with the file.
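Worked illustration of the mechanism in the abstract and in claims 1, 12, 14 and 15: a restricted token is derived from the user's parent token according to the virtual location (privileges removed, a restricted security identifier added, a group SID marked deny-only), and access to a file is then decided by checking the restricted token against the file's access control list. This is an added example written for this page, not code from the patent or from any operating system; the policy table, the SIDs and privilege names used as sample values, and the simplified ACL evaluation order are constructed assumptions.

```python
from collections import namedtuple
# Constructed policy (not from the patent): virtual location -> how the parent
# token is restricted. None means the user's normal token is used unchanged.
POLICY = {
    "local": None,
    "intranet": {"drop": {"SeBackupPrivilege"}, "rsid": "S-1-5-INTRANET", "deny_only": set()},
    "dialup": {"drop": {"SeBackupPrivilege", "SeShutdownPrivilege"}, "rsid": "S-1-5-DIALUP",
               "deny_only": {"S-1-5-32-544"}},   # Administrators group becomes deny-only
}
Token = namedtuple("Token", "sids privileges restricted_sids deny_only_sids")
Ace = namedtuple("Ace", "sid allow rights")   # one access-control entry

def restrict_token(parent, location):
    """Derive a restricted token from the parent token per the location's policy."""
    rule = POLICY[location]
    if rule is None:
        return parent
    return Token(parent.sids, parent.privileges - rule["drop"],
                 parent.restricted_sids | {rule["rsid"]},
                 parent.deny_only_sids | rule["deny_only"])

def _acl_pass(sids, deny_only, acl, wanted):
    """Simplified ACL walk: a matching deny on a wanted right refuses; allow ACEs
    accumulate rights, but a deny-only SID never matches an allow ACE."""
    granted = set()
    for ace in acl:
        if ace.sid not in sids:
            continue
        if not ace.allow and ace.rights & wanted:
            return False
        if ace.allow and ace.sid not in deny_only:
            granted |= ace.rights
    return wanted <= granted

def access_check(token, acl, wanted):
    """A token with restricted SIDs must pass a second check using only those SIDs."""
    wanted = frozenset(wanted)
    ok = _acl_pass(token.sids, token.deny_only_sids, acl, wanted)
    if ok and token.restricted_sids:
        ok = _acl_pass(token.restricted_sids, set(), acl, wanted)
    return ok

def demo(location):
    """Same user and file ACL, different connection location (all values constructed)."""
    alice = Token({"S-1-5-21-ALICE", "S-1-5-32-544"},
                  {"SeBackupPrivilege", "SeShutdownPrivilege"}, set(), set())
    acl = [Ace("S-1-5-21-ALICE", True, {"read", "write"}), Ace("S-1-5-32-544", True, {"delete"}),
           Ace("S-1-5-INTRANET", True, {"read", "write"}), Ace("S-1-5-DIALUP", True, {"read"})]
    tok = restrict_token(alice, location)
    return tuple(access_check(tok, acl, {r}) for r in ("read", "write", "delete")), sorted(tok.privileges)
```

The second ACL pass over the restricted SIDs is what makes the derived token strictly weaker than its parent: a dial-up connection from the same account loses write and delete even though the user's own SID and group still carry those allow entries.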

Patent Metadata

Filing Date

June 12, 1998

Publication Date

October 23, 2001

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Method and system of security location discrimination” (US-6308273). https://patentable.app/patents/US-6308273
